Specific image will cause the index of the scan function in scanner.go to go out of bounds #165

Open
pic4xiu opened this issue Jul 14, 2023 · 0 comments


pic4xiu commented Jul 14, 2023

When we use the imaging library to parse a maliciously constructed graph, the scan function of the scanner.go file will have an index out of bounds problem. The verification procedure is as follows:

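```go
package main

import (
	"image"
	"os"
	"runtime"

	"github.com/disintegration/imaging"
)

func main() {
	runtime.GOMAXPROCS(1)
	// Open the proof-of-concept file; stop if it is missing.
	file, err := os.Open("poc.tiff")
	if err != nil {
		return
	}
	defer file.Close()
	src, _, err := image.Decode(file)
	if err != nil {
		return
	}
	// Panics inside (*scanner).scan for this input.
	imaging.Grayscale(src)
}
```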

The poc.tiff is here: https://github.com/pic4xiu/pocRep/blob/main/poc.tiff

what happened

```
❯ go run poc.go
panic: runtime error: index out of range [70] with length 65

goroutine 3 [running]:
github.com/disintegration/imaging.(*scanner).scan(0x1400002a040, 0x0, 0x0, 0x96, 0x1, {0x140000f0000, 0x0?, 0xf168})
        /Users/**/go/pkg/mod/github.com/disintegration/imaging@v1.6.2/scanner.go:242 +0x3a4
github.com/disintegration/imaging.Grayscale.func1(0x0?)
        /Users/**/go/pkg/mod/github.com/disintegration/imaging@v1.6.2/adjust.go:16 +0xa0
github.com/disintegration/imaging.parallel.func1()
        /Users/**/go/pkg/mod/github.com/disintegration/imaging@v1.6.2/utils.go:33 +0x5c
created by github.com/disintegration/imaging.parallel
        /Users/**/go/pkg/mod/github.com/disintegration/imaging@v1.6.2/utils.go:31 +0xcc
exit status 2
```

specific reason

The specific statement that causes the program panic is in line 242 of scanner.go: `c := s.palette[img.Pix[i]]`. When processing this picture, `len(img.Palette)` is only 65, but `img.Pix[i]` is indexed to 70 from the beginning, causing an out-of-bounds:

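```go
package main

import (
	"fmt"
	"image"
	"os"
	"runtime"

	"github.com/disintegration/imaging"
)

func main() {
	runtime.GOMAXPROCS(1)
	// Open the proof-of-concept file; stop if it is missing.
	file, err := os.Open("poc.tiff")
	if err != nil {
		return
	}
	defer file.Close()
	src, _, err := image.Decode(file)
	if err != nil {
		return
	}
	// Print the palette length of the decoded paletted image.
	if img, ok := src.(*image.Paletted); ok {
		fmt.Println(len(img.Palette))
	}
	// Panics inside (*scanner).scan for this input.
	imaging.Grayscale(src)
}
```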

```
> go run .\main.go
65
panic: runtime error: index out of range [70] with length 65
```


@pic4xiu pic4xiu changed the title Maliciously constructed images will cause the scanner.go file index to go out of bounds Specific image will cause the index of the scan function in scanner.go to go out of bounds Jul 15, 2023
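
A pre-check a caller could run on a decoded image before passing it to the library, as an added example that is not code from the issue or from the imaging project. `checkPaletteIndices` and `constructedSample` are hypothetical names, and the sample input is constructed to mirror the reported case (palette of 65 entries, pixel index 70).

```go
package main

import (
	"fmt"
	"image"
	"image/color"
)

// checkPaletteIndices is a hypothetical pre-check (not part of imaging): it
// returns an error for the first pixel of a paletted image whose index is
// outside the palette. Non-paletted images pass through.
func checkPaletteIndices(src image.Image) error {
	img, ok := src.(*image.Paletted)
	if !ok {
		return nil
	}
	b, n := img.Bounds(), len(img.Palette)
	for y := b.Min.Y; y < b.Max.Y; y++ {
		start := img.PixOffset(b.Min.X, y)
		for x, idx := range img.Pix[start : start+b.Dx()] {
			if int(idx) >= n {
				return fmt.Errorf("pixel (%d,%d): palette index %d, palette length %d",
					b.Min.X+x, y, idx, n)
			}
		}
	}
	return nil
}

// constructedSample builds a 4x1 paletted image (constructed input) with
// paletteLen grey entries and every pixel set to idx.
func constructedSample(paletteLen int, idx uint8) *image.Paletted {
	pal := make(color.Palette, paletteLen)
	for i := range pal {
		pal[i] = color.Gray{Y: uint8(i)}
	}
	img := image.NewPaletted(image.Rect(0, 0, 4, 1), pal)
	for i := range img.Pix {
		img.Pix[i] = idx
	}
	return img
}

func main() {
	// Same shape as the report: palette of 65 entries, pixel index 70.
	fmt.Println(checkPaletteIndices(constructedSample(65, 70)))
	fmt.Println(checkPaletteIndices(constructedSample(65, 64)))
}
```

Returning an error here lets a service reject the file instead of crashing on the runtime panic shown in the trace.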